6.5

Hr Press Lite Plugin Leaks Employee Data to Authenticated Users

CVE-2026-2720
Summary

The Hr Press Lite plugin for WordPress does not check user capabilities on the AJAX action that returns employee records. As a result, any authenticated user, down to Subscriber level, can see sensitive information about coworkers, including names, contact details, and salary. To fix this, update to version 1.0.3 or higher, or remove the plugin if it's not needed.

Original title
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up ...
Original description
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-862 Missing Authorization
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
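
A missing capability check of the kind described above can be looked for in a plugin's PHP source before it is deployed. The Python script below is an added example, not code from the plugin or from this advisory: it flags `wp_ajax_*` handlers that never call `current_user_can()`. The handler names, the `hrp-example-guarded` action, the `hrp_query_employees()` helper and the sample PHP are constructed for illustration, and the parsing is a regex heuristic.

```python
import re

# Heuristic: finds add_action('wp_ajax_<action>', <callback>) where the callback
# is a string, [$obj, 'method'] or array($obj, 'method').
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>[\w-]+)['\"]\s*,\s*"
    r"(?:\[[^\]]*|array\([^)]*)?['\"](?P<cb>\w+)['\"]"
)
CAP_RE = re.compile(r"\b(?:current_)?user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Return the text between the braces of `function name(...) {...}`, or None.
    Naive brace counting: braces inside strings or comments are not handled."""
    m = re.search(r"function\s+%s\s*\([^)]*\)[^{;]*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List AJAX actions whose handler never calls current_user_can()/user_can()."""
    findings = []
    for m in HOOK_RE.finditer(src):
        body = function_body(src, m["cb"])
        if body is None or CAP_RE.search(body):
            continue  # handler lives elsewhere, or it does check a capability
        findings.append({"action": m["action"], "handler": m["cb"],
                         "nopriv": bool(m["nopriv"]),
                         "nonce_checked": bool(NONCE_RE.search(body))})
    return findings

# Constructed sample, not the plugin's real source.
SAMPLE_PHP = r"""
add_action('wp_ajax_hrp-fetch-employees', 'hrp_fetch_employees_cb');
add_action('wp_ajax_hrp-example-guarded', array($this, 'hrp_guarded_cb'));
function hrp_fetch_employees_cb() {
    check_ajax_referer('hrp_nonce');   // a nonce is not an authorization check
    wp_send_json_success(hrp_query_employees());
}
function hrp_guarded_cb() {
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden', 403); }
    wp_send_json_success(hrp_query_employees());
}
"""
print(audit(SAMPLE_PHP))
```

A finding with `nonce_checked` set to true still counts: a nonce protects against cross-site request forgery, while CWE-862 is about the handler not verifying what the logged-in user is allowed to do.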